From 3fc35d07d399e78355a98a9fcb304088efb0754f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 1 Apr 2013 14:37:40 -0700 Subject: [PATCH] 3.4-stable patches added patches: mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch net-irda-add-missing-error-path-release_sock-call.patch pnfs-block-removing-dm-device-maybe-cause-oops-when-call-dev_remove.patch tty-atmel_serial_probe-index-of-atmel_ports-fix.patch usb-ehci-fix-bug-in-itd-sitd-dma-pool-allocation.patch usb-ftdi_sio-add-support-for-mitsubishi-fx-usb-aw-bd.patch usb-xhci-fix-trb-transfer-length-macro-used-for-event-trb.patch vt-synchronize_rcu-under-spinlock-is-not-nice.patch xen-blkback-correctly-respond-to-unknown-non-native-requests.patch xen-blkback-fix-dispatch_rw_block_io-error-path.patch --- ...nd-free-curr_cmd-in-shutdown-process.patch | 40 ++++ ...missing-error-path-release_sock-call.patch | 36 ++++ ...aybe-cause-oops-when-call-dev_remove.patch | 43 +++++ queue-3.4/series | 20 +- ...erial_probe-index-of-atmel_ports-fix.patch | 59 ++++++ ...-bug-in-itd-sitd-dma-pool-allocation.patch | 86 +++++++++ ...-support-for-mitsubishi-fx-usb-aw-bd.patch | 49 +++++ ...sfer-length-macro-used-for-event-trb.patch | 131 +++++++++++++ ...onize_rcu-under-spinlock-is-not-nice.patch | 45 +++++ ...spond-to-unknown-non-native-requests.patch | 177 ++++++++++++++++++ ...-fix-dispatch_rw_block_io-error-path.patch | 49 +++++ 11 files changed, 730 insertions(+), 5 deletions(-) create mode 100644 queue-3.4/mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch create mode 100644 queue-3.4/net-irda-add-missing-error-path-release_sock-call.patch create mode 100644 queue-3.4/pnfs-block-removing-dm-device-maybe-cause-oops-when-call-dev_remove.patch create mode 100644 queue-3.4/tty-atmel_serial_probe-index-of-atmel_ports-fix.patch create mode 100644 queue-3.4/usb-ehci-fix-bug-in-itd-sitd-dma-pool-allocation.patch create mode 100644 queue-3.4/usb-ftdi_sio-add-support-for-mitsubishi-fx-usb-aw-bd.patch create mode 100644 queue-3.4/usb-xhci-fix-trb-transfer-length-macro-used-for-event-trb.patch create mode 100644 queue-3.4/vt-synchronize_rcu-under-spinlock-is-not-nice.patch create mode 100644 queue-3.4/xen-blkback-correctly-respond-to-unknown-non-native-requests.patch create mode 100644 queue-3.4/xen-blkback-fix-dispatch_rw_block_io-error-path.patch diff --git a/queue-3.4/mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch b/queue-3.4/mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch new file mode 100644 index 00000000000..50019105a8d --- /dev/null +++ b/queue-3.4/mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch @@ -0,0 +1,40 @@ +From 084c7189acb3f969c855536166042e27f5dd703f Mon Sep 17 00:00:00 2001 +From: Bing Zhao +Date: Fri, 15 Mar 2013 18:47:07 -0700 +Subject: mwifiex: cancel cmd timer and free curr_cmd in shutdown process + +From: Bing Zhao + +commit 084c7189acb3f969c855536166042e27f5dd703f upstream. + +curr_cmd points to the command that is in processing or waiting +for its command response from firmware. If the function shutdown +happens to occur at this time we should cancel the cmd timer and +put the command back to free queue. + +Tested-by: Marco Cesarano +Signed-off-by: Bing Zhao +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/init.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/wireless/mwifiex/init.c ++++ b/drivers/net/wireless/mwifiex/init.c +@@ -584,6 +584,14 @@ mwifiex_shutdown_drv(struct mwifiex_adap + return ret; + } + ++ /* cancel current command */ ++ if (adapter->curr_cmd) { ++ dev_warn(adapter->dev, "curr_cmd is still in processing\n"); ++ del_timer(&adapter->cmd_timer); ++ mwifiex_insert_cmd_to_free_q(adapter, adapter->curr_cmd); ++ adapter->curr_cmd = NULL; ++ } ++ + /* shut down mwifiex */ + dev_dbg(adapter->dev, "info: shutdown mwifiex...\n"); + diff --git a/queue-3.4/net-irda-add-missing-error-path-release_sock-call.patch b/queue-3.4/net-irda-add-missing-error-path-release_sock-call.patch new file mode 100644 index 00000000000..3db28376475 --- /dev/null +++ b/queue-3.4/net-irda-add-missing-error-path-release_sock-call.patch @@ -0,0 +1,36 @@ +From 896ee0eee6261e30c3623be931c3f621428947df Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 20 Mar 2013 05:19:24 +0000 +Subject: net/irda: add missing error path release_sock call + +From: Kees Cook + +commit 896ee0eee6261e30c3623be931c3f621428947df upstream. + +This makes sure that release_sock is called for all error conditions in +irda_getsockopt. + +Signed-off-by: Kees Cook +Reported-by: Brad Spengler +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/irda/af_irda.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -2584,8 +2584,10 @@ bed: + NULL, NULL, NULL); + + /* Check if the we got some results */ +- if (!self->cachedaddr) +- return -EAGAIN; /* Didn't find any devices */ ++ if (!self->cachedaddr) { ++ err = -EAGAIN; /* Didn't find any devices */ ++ goto out; ++ } + daddr = self->cachedaddr; + /* Cleanup */ + self->cachedaddr = 0; diff --git a/queue-3.4/pnfs-block-removing-dm-device-maybe-cause-oops-when-call-dev_remove.patch b/queue-3.4/pnfs-block-removing-dm-device-maybe-cause-oops-when-call-dev_remove.patch new file mode 100644 index 00000000000..fc340d97090 --- /dev/null +++ b/queue-3.4/pnfs-block-removing-dm-device-maybe-cause-oops-when-call-dev_remove.patch @@ -0,0 +1,43 @@ +From 4376c94618c26225e69e17b7c91169c45a90b292 Mon Sep 17 00:00:00 2001 +From: fanchaoting +Date: Thu, 21 Mar 2013 09:15:30 +0800 +Subject: pnfs-block: removing DM device maybe cause oops when call dev_remove + +From: fanchaoting + +commit 4376c94618c26225e69e17b7c91169c45a90b292 upstream. + +when pnfs block using device mapper,if umounting later,it maybe +cause oops. we apply "1 + sizeof(bl_umount_request)" memory for +msg->data, the memory maybe overflow when we do "memcpy(&dataptr +[sizeof(bl_msg)], &bl_umount_request, sizeof(bl_umount_request))", +because the size of bl_msg is more than 1 byte. + +Signed-off-by: fanchaoting +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/blocklayout/blocklayoutdm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfs/blocklayout/blocklayoutdm.c ++++ b/fs/nfs/blocklayout/blocklayoutdm.c +@@ -55,7 +55,8 @@ static void dev_remove(struct net *net, + + bl_pipe_msg.bl_wq = &nn->bl_wq; + memset(msg, 0, sizeof(*msg)); +- msg->data = kzalloc(1 + sizeof(bl_umount_request), GFP_NOFS); ++ msg->len = sizeof(bl_msg) + bl_msg.totallen; ++ msg->data = kzalloc(msg->len, GFP_NOFS); + if (!msg->data) + goto out; + +@@ -66,7 +67,6 @@ static void dev_remove(struct net *net, + memcpy(msg->data, &bl_msg, sizeof(bl_msg)); + dataptr = (uint8_t *) msg->data; + memcpy(&dataptr[sizeof(bl_msg)], &bl_umount_request, sizeof(bl_umount_request)); +- msg->len = sizeof(bl_msg) + bl_msg.totallen; + + add_wait_queue(&nn->bl_wq, &wq); + if (rpc_queue_upcall(nn->bl_device_pipe, msg) < 0) { diff --git a/queue-3.4/series b/queue-3.4/series index 06a1371c429..2451c0d2c8f 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -5,13 +5,23 @@ bluetooth-add-support-for-dell.patch bluetooth-add-support-for-dell_2.patch staging-comedi-s626-fix-continuous-acquisition.patch sysfs-fix-race-between-readdir-and-lseek.patch -b43-n-phy-increase-initial-value-of-mind-in-rssi-calibration.patch -b43-a-fix-for-dma-transmission-sequence-errors.patch -b43-n-phy-use-more-bits-for-offset-in-rssi-calibration.patch -tg3-fix-length-overflow-in-vpd-firmware-parsing.patch -iommu-amd-make-sure-dma_ops-are-set-for-hotplug-devices.patch sysfs-handle-failure-path-correctly-for-readdir.patch can-sja1000-fix-define-conflict-on-sh.patch ath9k_hw-revert-chainmask-to-user-configuration-after-calibration.patch hid-usbhid-quirk-for-realtek-multi-card-reader.patch rtlwifi-usb-add-missing-freeing-of-skbuff.patch +b43-n-phy-increase-initial-value-of-mind-in-rssi-calibration.patch +b43-a-fix-for-dma-transmission-sequence-errors.patch +b43-n-phy-use-more-bits-for-offset-in-rssi-calibration.patch +tg3-fix-length-overflow-in-vpd-firmware-parsing.patch +iommu-amd-make-sure-dma_ops-are-set-for-hotplug-devices.patch +xen-blkback-correctly-respond-to-unknown-non-native-requests.patch +xen-blkback-fix-dispatch_rw_block_io-error-path.patch +tty-atmel_serial_probe-index-of-atmel_ports-fix.patch +usb-ftdi_sio-add-support-for-mitsubishi-fx-usb-aw-bd.patch +vt-synchronize_rcu-under-spinlock-is-not-nice.patch +mwifiex-cancel-cmd-timer-and-free-curr_cmd-in-shutdown-process.patch +pnfs-block-removing-dm-device-maybe-cause-oops-when-call-dev_remove.patch +net-irda-add-missing-error-path-release_sock-call.patch +usb-ehci-fix-bug-in-itd-sitd-dma-pool-allocation.patch +usb-xhci-fix-trb-transfer-length-macro-used-for-event-trb.patch diff --git a/queue-3.4/tty-atmel_serial_probe-index-of-atmel_ports-fix.patch b/queue-3.4/tty-atmel_serial_probe-index-of-atmel_ports-fix.patch new file mode 100644 index 00000000000..eb5dd5f62b5 --- /dev/null +++ b/queue-3.4/tty-atmel_serial_probe-index-of-atmel_ports-fix.patch @@ -0,0 +1,59 @@ +From 503bded92da283b2f31d87e054c4c6d30c3c2340 Mon Sep 17 00:00:00 2001 +From: Pawel Wieczorkiewicz +Date: Wed, 20 Feb 2013 17:26:20 +0100 +Subject: tty: atmel_serial_probe(): index of atmel_ports[] fix + +From: Pawel Wieczorkiewicz + +commit 503bded92da283b2f31d87e054c4c6d30c3c2340 upstream. + +Index of atmel_ports[ATMEL_MAX_UART] should be smaller +than ATMEL_MAX_UART. + +Signed-off-by: Pawel Wieczorkiewicz +Acked-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -159,7 +159,7 @@ struct atmel_uart_port { + }; + + static struct atmel_uart_port atmel_ports[ATMEL_MAX_UART]; +-static unsigned long atmel_ports_in_use; ++static DECLARE_BITMAP(atmel_ports_in_use, ATMEL_MAX_UART); + + #ifdef SUPPORT_SYSRQ + static struct console atmel_console; +@@ -1785,15 +1785,14 @@ static int __devinit atmel_serial_probe( + if (ret < 0) + /* port id not found in platform data nor device-tree aliases: + * auto-enumerate it */ +- ret = find_first_zero_bit(&atmel_ports_in_use, +- sizeof(atmel_ports_in_use)); ++ ret = find_first_zero_bit(atmel_ports_in_use, ATMEL_MAX_UART); + +- if (ret > ATMEL_MAX_UART) { ++ if (ret >= ATMEL_MAX_UART) { + ret = -ENODEV; + goto err; + } + +- if (test_and_set_bit(ret, &atmel_ports_in_use)) { ++ if (test_and_set_bit(ret, atmel_ports_in_use)) { + /* port already in use */ + ret = -EBUSY; + goto err; +@@ -1867,7 +1866,7 @@ static int __devexit atmel_serial_remove + + /* "port" is allocated statically, so we shouldn't free it */ + +- clear_bit(port->line, &atmel_ports_in_use); ++ clear_bit(port->line, atmel_ports_in_use); + + clk_put(atmel_port->clk); + diff --git a/queue-3.4/usb-ehci-fix-bug-in-itd-sitd-dma-pool-allocation.patch b/queue-3.4/usb-ehci-fix-bug-in-itd-sitd-dma-pool-allocation.patch new file mode 100644 index 00000000000..86fffa595d9 --- /dev/null +++ b/queue-3.4/usb-ehci-fix-bug-in-itd-sitd-dma-pool-allocation.patch @@ -0,0 +1,86 @@ +From 85ecd0322b9a1a9f451d9150e9460ab42fd17219 Mon Sep 17 00:00:00 2001 +From: Soeren Moch +Date: Fri, 22 Mar 2013 12:16:52 -0400 +Subject: USB: EHCI: fix bug in iTD/siTD DMA pool allocation + +From: Soeren Moch + +commit 85ecd0322b9a1a9f451d9150e9460ab42fd17219 upstream. + +[Description written by Alan Stern] + +Soeren tracked down a very difficult bug in ehci-hcd's DMA pool +management of iTD and siTD structures. Some background: ehci-hcd +gives each isochronous endpoint its own set of active and free itd's +(or sitd's for full-speed devices). When a new itd is needed, it is +taken from the head of the free list, if possible. However, itd's +must not be used twice in a single frame because the hardware +continues to access the data structure for the entire duration of a +frame. Therefore if the itd at the head of the free list has its +"frame" member equal to the current value of ehci->now_frame, it +cannot be reused and instead a new itd is allocated from the DMA pool. +The entries on the free list are not released back to the pool until +the endpoint is no longer in use. + +The bug arises from the fact that sometimes an itd can be moved back +onto the free list before itd->frame has been set properly. In +Soeren's case, this happened because ehci-hcd can allocate one more +itd than it actually needs for an URB; the extra itd may or may not be +required depending on how the transfer aligns with a frame boundary. +For example, an URB with 8 isochronous packets will cause two itd's to +be allocated. If the URB is scheduled to start in microframe 3 of +frame N then it will require both itds: one for microframes 3 - 7 of +frame N and one for microframes 0 - 2 of frame N+1. But if the URB +had been scheduled to start in microframe 0 then it would require only +the first itd, which could cover microframes 0 - 7 of frame N. The +second itd would be returned to the end of the free list. + +The itd allocation routine initializes the entire structure to 0, so +the extra itd ends up on the free list with itd->frame set to 0 +instead of a meaningful value. After a while the itd reaches the head +of the list, and occasionally this happens when ehci->now_frame is +equal to 0. Then, even though it would be okay to reuse this itd, the +driver thinks it must get another itd from the DMA pool. + +For as long as the isochronous endpoint remains in use, this flaw in +the mechanism causes more and more itd's to be taken slowly from the +DMA pool. Since none are released back, the pool eventually becomes +exhausted. + +This reuslts in memory allocation failures, which typically show up +during a long-running audio stream. Video might suffer the same +effect. + +The fix is very simple. To prevent allocations from the pool when +they aren't needed, make sure that itd's sent back to the free list +prematurely have itd->frame set to an invalid value which can never be +equal to ehci->now_frame. + +This should be applied to -stable kernels going back to 3.6. + +Signed-off-by: Soeren Moch +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-sched.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/ehci-sched.c ++++ b/drivers/usb/host/ehci-sched.c +@@ -1280,6 +1280,7 @@ itd_urb_transaction ( + + memset (itd, 0, sizeof *itd); + itd->itd_dma = itd_dma; ++ itd->frame = 9999; /* an invalid value */ + list_add (&itd->itd_list, &sched->td_list); + } + spin_unlock_irqrestore (&ehci->lock, flags); +@@ -1979,6 +1980,7 @@ sitd_urb_transaction ( + + memset (sitd, 0, sizeof *sitd); + sitd->sitd_dma = sitd_dma; ++ sitd->frame = 9999; /* an invalid value */ + list_add (&sitd->sitd_list, &iso_sched->td_list); + } + diff --git a/queue-3.4/usb-ftdi_sio-add-support-for-mitsubishi-fx-usb-aw-bd.patch b/queue-3.4/usb-ftdi_sio-add-support-for-mitsubishi-fx-usb-aw-bd.patch new file mode 100644 index 00000000000..e1eefa36f32 --- /dev/null +++ b/queue-3.4/usb-ftdi_sio-add-support-for-mitsubishi-fx-usb-aw-bd.patch @@ -0,0 +1,49 @@ +From 482b0b5d82bd916cc0c55a2abf65bdc69023b843 Mon Sep 17 00:00:00 2001 +From: Konstantin Holoborodko +Date: Fri, 29 Mar 2013 00:06:13 +0900 +Subject: usb: ftdi_sio: Add support for Mitsubishi FX-USB-AW/-BD + +From: Konstantin Holoborodko + +commit 482b0b5d82bd916cc0c55a2abf65bdc69023b843 upstream. + +It enhances the driver for FTDI-based USB serial adapters +to recognize Mitsubishi Electric Corp. USB/RS422 Converters +as FT232BM chips and support them. +https://search.meau.com/?q=FX-USB-AW + +Signed-off-by: Konstantin Holoborodko +Tested-by: Konstantin Holoborodko +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -648,6 +648,7 @@ static struct usb_device_id id_table_com + { USB_DEVICE(FTDI_VID, FTDI_RM_CANVIEW_PID) }, + { USB_DEVICE(ACTON_VID, ACTON_SPECTRAPRO_PID) }, + { USB_DEVICE(CONTEC_VID, CONTEC_COM1USBH_PID) }, ++ { USB_DEVICE(MITSUBISHI_VID, MITSUBISHI_FXUSB_PID) }, + { USB_DEVICE(BANDB_VID, BANDB_USOTL4_PID) }, + { USB_DEVICE(BANDB_VID, BANDB_USTL4_PID) }, + { USB_DEVICE(BANDB_VID, BANDB_USO9ML2_PID) }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -584,6 +584,13 @@ + #define CONTEC_COM1USBH_PID 0x8311 /* COM-1(USB)H */ + + /* ++ * Mitsubishi Electric Corp. (http://www.meau.com) ++ * Submitted by Konstantin Holoborodko ++ */ ++#define MITSUBISHI_VID 0x06D3 ++#define MITSUBISHI_FXUSB_PID 0x0284 /* USB/RS422 converters: FX-USB-AW/-BD */ ++ ++/* + * Definitions for B&B Electronics products. + */ + #define BANDB_VID 0x0856 /* B&B Electronics Vendor ID */ diff --git a/queue-3.4/usb-xhci-fix-trb-transfer-length-macro-used-for-event-trb.patch b/queue-3.4/usb-xhci-fix-trb-transfer-length-macro-used-for-event-trb.patch new file mode 100644 index 00000000000..2efe19607cf --- /dev/null +++ b/queue-3.4/usb-xhci-fix-trb-transfer-length-macro-used-for-event-trb.patch @@ -0,0 +1,131 @@ +From 1c11a172cb30492f5f6a82c6e118fdcd9946c34f Mon Sep 17 00:00:00 2001 +From: Vivek Gautam +Date: Thu, 21 Mar 2013 12:06:48 +0530 +Subject: usb: xhci: Fix TRB transfer length macro used for Event TRB. + +From: Vivek Gautam + +commit 1c11a172cb30492f5f6a82c6e118fdcd9946c34f upstream. + +Use proper macro while extracting TRB transfer length from +Transfer event TRBs. Adding a macro EVENT_TRB_LEN (bits 0:23) +for the same, and use it instead of TRB_LEN (bits 0:16) in +case of event TRBs. + +This patch should be backported to kernels as old as 2.6.31, that +contain the commit b10de142119a676552df3f0d2e3a9d647036c26a "USB: xhci: +Bulk transfer support". This patch will have issues applying to older +kernels. + +Signed-off-by: Vivek gautam +Signed-off-by: Sarah Sharp +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 24 ++++++++++++------------ + drivers/usb/host/xhci.h | 4 ++++ + 2 files changed, 16 insertions(+), 12 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2027,8 +2027,8 @@ static int process_ctrl_td(struct xhci_h + if (event_trb != ep_ring->dequeue && + event_trb != td->last_trb) + td->urb->actual_length = +- td->urb->transfer_buffer_length +- - TRB_LEN(le32_to_cpu(event->transfer_len)); ++ td->urb->transfer_buffer_length - ++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); + else + td->urb->actual_length = 0; + +@@ -2060,7 +2060,7 @@ static int process_ctrl_td(struct xhci_h + /* Maybe the event was for the data stage? */ + td->urb->actual_length = + td->urb->transfer_buffer_length - +- TRB_LEN(le32_to_cpu(event->transfer_len)); ++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); + xhci_dbg(xhci, "Waiting for status " + "stage event\n"); + return 0; +@@ -2096,7 +2096,7 @@ static int process_isoc_td(struct xhci_h + /* handle completion code */ + switch (trb_comp_code) { + case COMP_SUCCESS: +- if (TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) { ++ if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) { + frame->status = 0; + break; + } +@@ -2141,7 +2141,7 @@ static int process_isoc_td(struct xhci_h + len += TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])); + } + len += TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])) - +- TRB_LEN(le32_to_cpu(event->transfer_len)); ++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); + + if (trb_comp_code != COMP_STOP_INVAL) { + frame->actual_length = len; +@@ -2199,7 +2199,7 @@ static int process_bulk_intr_td(struct x + case COMP_SUCCESS: + /* Double check that the HW transferred everything. */ + if (event_trb != td->last_trb || +- TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) { ++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) { + xhci_warn(xhci, "WARN Successful completion " + "on short TX\n"); + if (td->urb->transfer_flags & URB_SHORT_NOT_OK) +@@ -2227,18 +2227,18 @@ static int process_bulk_intr_td(struct x + "%d bytes untransferred\n", + td->urb->ep->desc.bEndpointAddress, + td->urb->transfer_buffer_length, +- TRB_LEN(le32_to_cpu(event->transfer_len))); ++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len))); + /* Fast path - was this the last TRB in the TD for this URB? */ + if (event_trb == td->last_trb) { +- if (TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) { ++ if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) != 0) { + td->urb->actual_length = + td->urb->transfer_buffer_length - +- TRB_LEN(le32_to_cpu(event->transfer_len)); ++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); + if (td->urb->transfer_buffer_length < + td->urb->actual_length) { + xhci_warn(xhci, "HC gave bad length " + "of %d bytes left\n", +- TRB_LEN(le32_to_cpu(event->transfer_len))); ++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len))); + td->urb->actual_length = 0; + if (td->urb->transfer_flags & URB_SHORT_NOT_OK) + *status = -EREMOTEIO; +@@ -2280,7 +2280,7 @@ static int process_bulk_intr_td(struct x + if (trb_comp_code != COMP_STOP_INVAL) + td->urb->actual_length += + TRB_LEN(le32_to_cpu(cur_trb->generic.field[2])) - +- TRB_LEN(le32_to_cpu(event->transfer_len)); ++ EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); + } + + return finish_td(xhci, td, event_trb, event, ep, status, false); +@@ -2366,7 +2366,7 @@ static int handle_tx_event(struct xhci_h + * transfer type + */ + case COMP_SUCCESS: +- if (TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) ++ if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0) + break; + if (xhci->quirks & XHCI_TRUST_TX_LENGTH) + trb_comp_code = COMP_SHORT_TX; +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -968,6 +968,10 @@ struct xhci_transfer_event { + __le32 flags; + }; + ++/* Transfer event TRB length bit mask */ ++/* bits 0:23 */ ++#define EVENT_TRB_LEN(p) ((p) & 0xffffff) ++ + /** Transfer Event bit fields **/ + #define TRB_TO_EP_ID(p) (((p) >> 16) & 0x1f) + diff --git a/queue-3.4/vt-synchronize_rcu-under-spinlock-is-not-nice.patch b/queue-3.4/vt-synchronize_rcu-under-spinlock-is-not-nice.patch new file mode 100644 index 00000000000..7085ea7cecd --- /dev/null +++ b/queue-3.4/vt-synchronize_rcu-under-spinlock-is-not-nice.patch @@ -0,0 +1,45 @@ +From e8cd81693bbbb15db57d3c9aa7dd90eda4842874 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 26 Mar 2013 20:30:17 -0400 +Subject: vt: synchronize_rcu() under spinlock is not nice... + +From: Al Viro + +commit e8cd81693bbbb15db57d3c9aa7dd90eda4842874 upstream. + +vcs_poll_data_free() calls unregister_vt_notifier(), which calls +atomic_notifier_chain_unregister(), which calls synchronize_rcu(). +Do it *after* we'd dropped ->f_lock. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vc_screen.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/vt/vc_screen.c ++++ b/drivers/tty/vt/vc_screen.c +@@ -93,7 +93,7 @@ vcs_poll_data_free(struct vcs_poll_data + static struct vcs_poll_data * + vcs_poll_data_get(struct file *file) + { +- struct vcs_poll_data *poll = file->private_data; ++ struct vcs_poll_data *poll = file->private_data, *kill = NULL; + + if (poll) + return poll; +@@ -122,10 +122,12 @@ vcs_poll_data_get(struct file *file) + file->private_data = poll; + } else { + /* someone else raced ahead of us */ +- vcs_poll_data_free(poll); ++ kill = poll; + poll = file->private_data; + } + spin_unlock(&file->f_lock); ++ if (kill) ++ vcs_poll_data_free(kill); + + return poll; + } diff --git a/queue-3.4/xen-blkback-correctly-respond-to-unknown-non-native-requests.patch b/queue-3.4/xen-blkback-correctly-respond-to-unknown-non-native-requests.patch new file mode 100644 index 00000000000..fdb90b49937 --- /dev/null +++ b/queue-3.4/xen-blkback-correctly-respond-to-unknown-non-native-requests.patch @@ -0,0 +1,177 @@ +From 0e367ae46503cfe7791460c8ba8434a5d60b2bd5 Mon Sep 17 00:00:00 2001 +From: David Vrabel +Date: Thu, 7 Mar 2013 17:32:01 +0000 +Subject: xen/blkback: correctly respond to unknown, non-native requests + +From: David Vrabel + +commit 0e367ae46503cfe7791460c8ba8434a5d60b2bd5 upstream. + +If the frontend is using a non-native protocol (e.g., a 64-bit +frontend with a 32-bit backend) and it sent an unrecognized request, +the request was not translated and the response would have the +incorrect ID. This may cause the frontend driver to behave +incorrectly or crash. + +Since the ID field in the request is always in the same place, +regardless of the request type we can get the correct ID and make a +valid response (which will report BLKIF_RSP_EOPNOTSUPP). + +This bug affected 64-bit SLES 11 guests when using a 32-bit backend. +This guest does a BLKIF_OP_RESERVED_1 (BLKIF_OP_PACKET in the SLES +source) and would crash in blkif_int() as the ID in the response would +be invalid. + +Signed-off-by: David Vrabel +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/blkback.c | 31 +++++++++++++++++++++++++++---- + drivers/block/xen-blkback/common.h | 25 +++++++++++++++++++++++++ + include/xen/interface/io/blkif.h | 10 ++++++++++ + 3 files changed, 62 insertions(+), 4 deletions(-) + +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -422,6 +422,16 @@ static int dispatch_discard_io(struct xe + return err; + } + ++static int dispatch_other_io(struct xen_blkif *blkif, ++ struct blkif_request *req, ++ struct pending_req *pending_req) ++{ ++ free_req(pending_req); ++ make_response(blkif, req->u.other.id, req->operation, ++ BLKIF_RSP_EOPNOTSUPP); ++ return -EIO; ++} ++ + static void xen_blk_drain_io(struct xen_blkif *blkif) + { + atomic_set(&blkif->drain, 1); +@@ -543,17 +553,30 @@ __do_block_io_op(struct xen_blkif *blkif + + /* Apply all sanity checks to /private copy/ of request. */ + barrier(); +- if (unlikely(req.operation == BLKIF_OP_DISCARD)) { ++ ++ switch (req.operation) { ++ case BLKIF_OP_READ: ++ case BLKIF_OP_WRITE: ++ case BLKIF_OP_WRITE_BARRIER: ++ case BLKIF_OP_FLUSH_DISKCACHE: ++ if (dispatch_rw_block_io(blkif, &req, pending_req)) ++ goto done; ++ break; ++ case BLKIF_OP_DISCARD: + free_req(pending_req); + if (dispatch_discard_io(blkif, &req)) +- break; +- } else if (dispatch_rw_block_io(blkif, &req, pending_req)) ++ goto done; + break; ++ default: ++ if (dispatch_other_io(blkif, &req, pending_req)) ++ goto done; ++ break; ++ } + + /* Yield point for this unbounded loop. */ + cond_resched(); + } +- ++done: + return more_to_do; + } + +--- a/drivers/block/xen-blkback/common.h ++++ b/drivers/block/xen-blkback/common.h +@@ -76,11 +76,18 @@ struct blkif_x86_32_request_discard { + uint64_t nr_sectors; + } __attribute__((__packed__)); + ++struct blkif_x86_32_request_other { ++ uint8_t _pad1; ++ blkif_vdev_t _pad2; ++ uint64_t id; /* private guest value, echoed in resp */ ++} __attribute__((__packed__)); ++ + struct blkif_x86_32_request { + uint8_t operation; /* BLKIF_OP_??? */ + union { + struct blkif_x86_32_request_rw rw; + struct blkif_x86_32_request_discard discard; ++ struct blkif_x86_32_request_other other; + } u; + } __attribute__((__packed__)); + +@@ -112,11 +119,19 @@ struct blkif_x86_64_request_discard { + uint64_t nr_sectors; + } __attribute__((__packed__)); + ++struct blkif_x86_64_request_other { ++ uint8_t _pad1; ++ blkif_vdev_t _pad2; ++ uint32_t _pad3; /* offsetof(blkif_..,u.discard.id)==8 */ ++ uint64_t id; /* private guest value, echoed in resp */ ++} __attribute__((__packed__)); ++ + struct blkif_x86_64_request { + uint8_t operation; /* BLKIF_OP_??? */ + union { + struct blkif_x86_64_request_rw rw; + struct blkif_x86_64_request_discard discard; ++ struct blkif_x86_64_request_other other; + } u; + } __attribute__((__packed__)); + +@@ -262,6 +277,11 @@ static inline void blkif_get_x86_32_req( + dst->u.discard.nr_sectors = src->u.discard.nr_sectors; + break; + default: ++ /* ++ * Don't know how to translate this op. Only get the ++ * ID so failure can be reported to the frontend. ++ */ ++ dst->u.other.id = src->u.other.id; + break; + } + } +@@ -293,6 +313,11 @@ static inline void blkif_get_x86_64_req( + dst->u.discard.nr_sectors = src->u.discard.nr_sectors; + break; + default: ++ /* ++ * Don't know how to translate this op. Only get the ++ * ID so failure can be reported to the frontend. ++ */ ++ dst->u.other.id = src->u.other.id; + break; + } + } +--- a/include/xen/interface/io/blkif.h ++++ b/include/xen/interface/io/blkif.h +@@ -138,11 +138,21 @@ struct blkif_request_discard { + uint8_t _pad3; + } __attribute__((__packed__)); + ++struct blkif_request_other { ++ uint8_t _pad1; ++ blkif_vdev_t _pad2; /* only for read/write requests */ ++#ifdef CONFIG_X86_64 ++ uint32_t _pad3; /* offsetof(blkif_req..,u.other.id)==8*/ ++#endif ++ uint64_t id; /* private guest value, echoed in resp */ ++} __attribute__((__packed__)); ++ + struct blkif_request { + uint8_t operation; /* BLKIF_OP_??? */ + union { + struct blkif_request_rw rw; + struct blkif_request_discard discard; ++ struct blkif_request_other other; + } u; + } __attribute__((__packed__)); + diff --git a/queue-3.4/xen-blkback-fix-dispatch_rw_block_io-error-path.patch b/queue-3.4/xen-blkback-fix-dispatch_rw_block_io-error-path.patch new file mode 100644 index 00000000000..c86ad172bcf --- /dev/null +++ b/queue-3.4/xen-blkback-fix-dispatch_rw_block_io-error-path.patch @@ -0,0 +1,49 @@ +From 0e5e098ac22dae38f957e951b70d3cf73beff0f7 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 11 Mar 2013 09:39:55 +0000 +Subject: xen-blkback: fix dispatch_rw_block_io() error path + +From: Jan Beulich + +commit 0e5e098ac22dae38f957e951b70d3cf73beff0f7 upstream. + +Commit 7708992 ("xen/blkback: Seperate the bio allocation and the bio +submission") consolidated the pendcnt updates to just a single write, +neglecting the fact that the error path relied on it getting set to 1 +up front (such that the decrement in __end_block_io_op() would actually +drop the count to zero, triggering the necessary cleanup actions). + +Also remove a misleading and a stale (after said commit) comment. + +Signed-off-by: Jan Beulich +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/blkback.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -742,13 +742,7 @@ static int dispatch_rw_block_io(struct x + bio->bi_end_io = end_block_io_op; + } + +- /* +- * We set it one so that the last submit_bio does not have to call +- * atomic_inc. +- */ + atomic_set(&pending_req->pendcnt, nbio); +- +- /* Get a reference count for the disk queue and start sending I/O */ + blk_start_plug(&plug); + + for (i = 0; i < nbio; i++) +@@ -776,6 +770,7 @@ static int dispatch_rw_block_io(struct x + fail_put_bio: + for (i = 0; i < nbio; i++) + bio_put(biolist[i]); ++ atomic_set(&pending_req->pendcnt, 1); + __end_block_io_op(pending_req, -EINVAL); + msleep(1); /* back off a bit */ + return -EIO; -- 2.47.3